1. Introduction and Concepts
1.1 PC Architecture
Figure 1-1 Components of the PC
1.2.2 Core RTM (CRTM)




1.2.3 Central Processing Unit (CPU) 




1.2.5 Initial Program Loader (IPL)
1.2.6 Manufacturer




1.2.8 Motherboard 



1.2.9 Pre-Boot State 



1.2.10 Post-Boot State 



1.2.11 Platform 



¹ Primary peripheral device refers to devices which directly attach to and directly interact with the CPU. Examples are PCI cards, LPC
components, USB Host controller and root hub, attached serial and parallel ports, etc. Examples of devices not included in this class
are USB and IEEE 1394 devices.
1.2.12 Platform Reset




(caused by a TPM_Init). Upon a Platform Reset the CPU MUST begin execution at the CRTM. This
event MUST cause a PCI_Reset. Unless otherwise stated, the result of a Platform Reset MUST
cause the equivalent of transitioning the motherboard from the S5 state (i.e., it may not cause a
transition from S3).



1.2.13 System 
1.3 Concepts
1.3.1 Immutable 

In this specification immutable means that in order to maintain trust in the Platform, the replacement
or modification of code or data MUST be performed by a Platform manufacturer-approved agent and
method. This allows a manufacturer to establish an upgrade method for the portion of the Platform
which is the CRTM with consideration of the security properties of the Platform's Protection Profile.



1.3.2 Trusted Building Block (TBB) 

The combination of the CRTM, TPM, connection of the CRTM to the motherboard, and the 
connection of the TPM to the motherboard. The connection of the CRTM to the TPM is done through 
transitive trust of the CRTM connection and the TPM connection. 

Since the CRTM and the TPM are the only trusted components of the Motherboard and since 
indication of physical presence requires a trusted mechanism to be activated by the platform owner, 
the indication of physical presence MUST be contained within the TBB. 



1.3.3 Platform Reset Types 
For all types of Platform Resets the CPU SHALL begin executing code with the CRTM's Platform
initialization code. The Platform MUST perform a Platform Reset. No System component SHALL
block the PCI_Reset signal to any of the System components.



1.3.4 Core RTM (CRTM)

The Core Root of Trust for Measurement (CRTM) MUST be an immutable portion of the Platform's
initialization code that executes upon a Platform Reset. The Platform's execution MUST begin at the 
CRTM upon any Platform Reset. 

The trust in the Platform is based on this component. The trust in all measurements is based 
on the integrity of this component. 

Currently, in a PC, there are at least two types of CRTM architectures: 
• CRTM is the BIOS Boot Block.

The Manufacturer MUST control the update, modification, and maintenance of the BIOS Boot
Block component, while either the Manufacturer or a 3rd-party supplier may update, modify, or
maintain the POST BIOS component. If there are multiple execution points for the BIOS Boot
Block, they must all be within the CRTM.



• CRTM is the entire BIOS.

The Manufacturer MUST control the update, modification, and maintenance of the entire BIOS.



1.3.5 Boot State Transition

The transition between Pre-Boot and Post-Boot states is the first invocation of INT 19h or equivalent.

1.3.6 Establishing the Chain of Trust 
1.3.6.1 Bindings 

1.3.6.1.1 Bindings between an Endorsement Key, a TPM, and a Platform

The relationship between the Endorsement Key, a TPM, and a Platform is described in Section 2.2 of
the TCPA Main Specification.



1.3.6.1.2 Binding Methods
2. Integrity Collection & Reporting

2.1 Concepts 

2.1.1 Initial TBB Control and Platform Reset

Upon Platform Reset the CRTM MUST have control of the TBB.

2.1.2 Transferring Control 

Prior to transferring control an executing entity MUST measure the entity to which it will transfer
control. 

2.2 PCR Usage
End of Informative comment.

Summary of the defined PCR usage:

PCR Index   PCR Usage
0           CRTM, BIOS and Platform Extensions
1           Platform Configuration
2           Option ROM Code
3           Option ROM Configuration and Data
4           IPL Code (usually the MBR)
5           IPL Code Configuration and Data (for use by the IPL code)
6           State Transition and Wake Events
7           Reserved for future usage. Do not use.



2.2.1 PCR[0] - CRTM, POST BIOS and Embedded Option ROMs 



Entities that MUST be Measured:
• The CRTM's version identifier.

• All firmware physically bound to the motherboard

• Manufacturer Controlled Embedded Option ROMs 

These are Embedded Option ROMs whose release and update is controlled by the 
Manufacturer. 

• Embedded SMM code and the code that sets it up. 

• ACPI flash data prior to any modifications. 

• BIS code (excluding the BIS certificate). 
Entities that MAY be Measured:

• Any other code or information that is relevant to the CRTM, POST BIOS or Platform
Extensions.

Method for Measurement for a Compound BIOS: 

The CRTM performs these measurements as follows: 

1 . Log the CRTM's version identifier. 

2. Measure the code to which the CRTM is transferring control.

The POST BIOS may need to reconstruct events that could not be recorded due to the
unavailability of memory. If it does so it places this information into the Event Log and MUST
NOT extend PCR[0] with this reconstructed information.

3. The remaining measurements MAY be performed in any order. 

Method for Measurement for an Integrated BIOS: 

The CRTM performs these measurements as follows: 

1 . Log the CRTM's version identifier. 

2. The CRTM measures the remainder of all BIOS firmware.
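The measure-before-transfer rule of 2.1.2 and the PCR assignments of 2.2 come down to one primitive, TPM_Extend: PCR_new = SHA-1(PCR_old || digest). The following Python model is an added illustration, not code from the specification; the boot stages, blobs and event descriptions it measures are constructed, and it keeps the event log as plain (PCR index, digest, description) tuples rather than the TCPA_PCR_EVENT layout, which this page does not define. It shows a verifier replaying the log against the reported PCRs and why a dropped or reordered entry is detected.

```python
import hashlib

PCR_COUNT = 8      # pre-boot PCRs 0..7 from the PCR usage table in 2.2
DIGEST_LEN = 20    # TCPA 1.x measurements are SHA-1 digests


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || digest). One-way and order dependent."""
    if len(pcr_value) != DIGEST_LEN or len(digest) != DIGEST_LEN:
        raise ValueError("PCR values and digests are 20-byte SHA-1 values")
    return hashlib.sha1(pcr_value + digest).digest()


def measure(data: bytes) -> bytes:
    """TSS_HashAll over a code or data region."""
    return hashlib.sha1(data).digest()


class PreBootPlatform:
    """Pre-boot state: eight PCRs (all zero after Platform Reset) plus the event log.
    Each stage measures the next one before transferring control to it (2.1.2)."""

    def __init__(self) -> None:
        self.pcrs = [bytes(DIGEST_LEN)] * PCR_COUNT
        self.log = []          # entries: (pcr_index, digest, description)

    def hash_log_extend(self, pcr_index: int, data: bytes, description: str) -> bytes:
        """Hash, extend and log in one step, the way TCPA_HashLogExtendEvent does."""
        digest = measure(data)
        self.pcrs[pcr_index] = extend(self.pcrs[pcr_index], digest)
        self.log.append((pcr_index, digest, description))
        return digest


def boot_sequence() -> PreBootPlatform:
    """Constructed sample boot; the byte strings stand in for real firmware images."""
    p = PreBootPlatform()
    p.hash_log_extend(0, b"CRTM v1.00 (constructed)", "CRTM version identifier")
    p.hash_log_extend(0, b"POST BIOS image (constructed)", "POST BIOS")
    p.hash_log_extend(1, b"platform configuration (constructed)", "Platform Configuration")
    p.hash_log_extend(2, b"option ROM visible portion (constructed)", "OptionROMExecute")
    p.hash_log_extend(3, b"option ROM configuration (constructed)", "OptionROMConfig")
    for i in range(PCR_COUNT):                  # EV_SEPARATOR into PCR[0-7] before INT 19h (6.2.2)
        p.hash_log_extend(i, b"EV_SEPARATOR", "EV_SEPARATOR")
    p.hash_log_extend(4, b"Calling INT 19h", "EV_ACTION")
    p.hash_log_extend(4, b"MBR image (constructed)", "IPL Code")
    return p


def replay(log, reported_pcrs) -> list:
    """Verifier side: recompute every PCR from the log and return the indices whose
    recomputed value differs from what the TPM reports."""
    computed = [bytes(DIGEST_LEN)] * PCR_COUNT
    for pcr_index, digest, _ in log:
        computed[pcr_index] = extend(computed[pcr_index], digest)
    return [i for i in range(PCR_COUNT) if computed[i] != reported_pcrs[i]]


def tampered_log_mismatches() -> list:
    """Drop the option ROM entry from the log: only PCR[2] stops replaying."""
    p = boot_sequence()
    edited = [entry for entry in p.log if entry[2] != "OptionROMExecute"]
    return replay(edited, p.pcrs)


def reordered_log_mismatches() -> list:
    """Swap the two PCR[0] entries: same digests, different order, different PCR[0]."""
    p = boot_sequence()
    edited = list(p.log)
    edited[0], edited[1] = edited[1], edited[0]
    return replay(edited, p.pcrs)


if __name__ == "__main__":
    p = boot_sequence()
    print("PCR[4] =", p.pcrs[4].hex())
    print("clean replay mismatches:", replay(p.log, p.pcrs))
    print("dropped entry mismatches:", tampered_log_mismatches())
    print("reordered entries mismatches:", reordered_log_mismatches())
```

The reconstructed-events rule in step 2 above fits this model directly: an entry that is logged but never extended will make the replay fail, so a verifier must know which entries are informational-only before it compares.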
2.2.2 PCR[1] - Motherboard Configuration 




Entities that MUST be Measured:

The following entities MUST always be measured. These MUST NOT be disabled:
• If the BIOS loads a CPU microcode update, it is measured.
• Platform Configuration including the state of any disable flags affecting the measurement of
entities into this PCR. 

Entities that MAY be Measured:

The following entities MUST be measured if measurement of the following entities is enabled by 
the system. These MAY be Disabled: 

• BIS certificate. 

• POST BIOS-Based ROM strings. 

Entities that MAY be Measured:

While the code to implement the above entities is mandatory, the code to implement
measurement of these entities is optional. It is not required to measure the components of the
following that contain privacy information but if implemented, the rest of the information MUST be.

• ESCD, CMOS and other NVRAM data

• SMBIOS structures 

• Passwords 

Entities that MUST NOT be Measured:

• Values and registers that are automatically updated (e.g., clocks).

• System unique information such as asset, serial numbers, etc.

Method for Measurement:

The BIOS performs these measurements as follows: 

1. The entities specified in this PCR MAY be measured in any order deemed appropriate by the
implementer. Where possible these measurements SHOULD occur prior to measuring Option 
ROMs. 

2.2.3 PCR[2] - Option ROM Code

Any application that modifies the Option ROM code MUST measure the new code into PCR[2] or
cause a Platform Reset.

Entities to be Measured:

• The portion of the Option ROM that is visible to the BIOS.

• The portion of the Option ROM that is not visible to the BIOS is measured by the Option
ROM. 

• Non-Manufacturer Controlled Embedded Option ROMs 

These are Embedded Option ROMs that are physically contained on the Motherboard (as 
opposed to an add-in card) but the release and control of any update is not controlled by the
(Motherboard) Manufacturer. 

Method for Measurement: 

The BIOS performs these measurements as follows:

1. Log the event OptionROMExecute for each option ROM.

2. The entities specified in this PCR MAY be measured in any order deemed appropriate by the
implementer. 

3. Repeat until all Option ROMs are measured and executed. 

Option ROMs perform these measurements as follows when they execute: 

1. Measure the event "Unhiding Option ROM Code" when unhiding Option ROM code.

2. Measure the "hidden" Option ROM Code.

2.2.4 PCR[3] - Option ROM Configuration and Data 



Any application that modifies the Option ROM configuration MUST measure the new configuration 
into PCR[3] or cause a Platform Reset.

Entities to be Measured: 

• Configuration data specific to Option ROM or the adapter that hosts the Option ROM. 

• Other data, including comments, specific to Option ROM or the adapter that hosts the Option
ROM.



Method for Measurement: 



The Option ROM or Application performs these measurements as follows: 

1. Measure the event OptionROMConfig.

2. Measure any of the above in any order while executing.



2.2.5 PCR[4] - IPL Code
Entities to be Measured:

• Each IPL that is attempted and executed.

• Additional code that is loaded by the IPL. 
Entities to Exclude: 

• Portions of IPL pertaining to the specific configuration of the platform (e.g., disk geometry in
the MBR).

Method for Measurement:

See section 6.2.3 Logging of Boot Events for further detail.
The BIOS performs these steps as follows:

1. Measure EV_ACTION with the relevant event.

2. Measure the IPL Code. 

3. If control returns to the BIOS, measure that event. 

4. Goto Step 1. 

A complete description of the method for measuring is found in Section 6 IPL Code, Power
States, and Transitions.

2.2.6 PCR[5] - IPL Configuration and Data 
Entities to be Measured:

• All relevant IPL configuration data.

• Static data contained within the IPL Code (e.g., disk geometry) 

Method for Measurement: 

The IPL code measures all relevant IPL configuration data per its defined events. 

The BIOS measures the static data as events defined in Section 7.2.2 Platform Specific Event
Log.

2.2.7 PCR[6] - State Transition 
Entities to be Measured:

• Wake Events

• All relevant State Transitions.

Method for Measurement: 

Wake events are measured by the Pre-Boot components as defined in Section 7.2.2 Platform
Specific Event Log.

State Transitions are measured by the Post-Boot components as defined in Section 7.2.2
Platform Specific Event Log.



2.2.8 PCR[7] - Reserved
3. Platform Setup and Configuration

3.1 Pre-Boot ROM-based Setup 

Upon completion, this setup utility MUST perform a Platform Reset. This includes setup utilities
provided by both the motherboard-based BIOS and Option ROMs. 

Entry into this state is measured as event "Entering ROM Based Setup". 

3.2 Post-Boot ROM-based Setup



The setup utility MUST NOT allow changes to platform configuration unless the Post-boot 
environment can measure the event or the setup utility provides a mechanism to notify the Post-Boot 
OS that a change occurred. 

3.3 Reference Partition

This is treated as IPL code. The setup utility within the reference partition MUST measure events that 
affect platform configuration. 

3.4 OS Based Setup Utility 

The setup utility MUST measure events that affect platform configuration. 
4. Maintenance

Implementation of Maintenance is optional. If it is implemented it MUST be implemented as defined in
this section. 



4.1 BIOS Recovery Mode




It MUST NOT be possible for a BIOS Recovery Mode to allow impersonation of another valid boot
state. This applies to the values in the pre-Boot PCRs. Upon completion, the BIOS Recovery Code 
MUST cause a Platform Reset. 



4.2 Flash Maintenance 
4.2.1 Manufacturer Approved Environment (MAE)

The CRTM MAY be updated while in MAE.
4.2.2 Non-Manufacturer Approved Environment (NMAE)

The CRTM MAY NOT be updated while in NMAE.
5. TCPA Credentials

All TCPA Credentials MUST be represented as Certificates as defined in Section "9.5 Instantiation of
Credentials as Certificates" in the Main TCPA Specification.

5.1 Platform Certificate

Distribution is manufacturer controlled.

5.2 Platform Conformance Certificate

Distribution is manufacturer controlled.

5.3 Method of Verification

Verification of the entity against the hash value within the Validation Certificate is not required. If
performed, the hash within the Validation Certificate must include the entire Validation Certificate
Header excluding the Validation Certificate itself.



5.4 Validation Certificate Header

If present the Validation Certificate will be contained within the Option ROM header as specified
below according to the "Plug and Play BIOS Specification".

Offset   Size    Value           Description
0h       DWORD   "TCPA" (ASCII)  Signature
04h      BYTE    01h             Structure Revision
05h      BYTE    Varies          Length (in 16 byte increments)
06h      WORD    Varies          Offset of next Header (0000 if none)
08h      BYTE    Varies          Number of segments. Value of 0 indicates entire visible portion
                                 of Option ROM excluding the Validation Certificate
09h      WORD    Varies          Offset to 1st segment included in Validation Certificate hash
0Bh      WORD    Varies          Length of 1st segment included in Validation Certificate hash
                                 Repeat for number of segments.
??h      BYTE    0FFh            Reserved
??h      BYTE    Varies          Checksum of this entire header as specified in the Plug and
                                 Play BIOS Specification
??h      Varies  Varies          Validation Certificate
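A parser for the header above, together with the hash coverage rule of 5.3, as an added Python example that is not part of the specification. The sample ROM, segment list and certificate bytes are constructed. Two details the page leaves open are assumptions here: the Length field is taken to count the header plus the certificate rounded up to 16-byte units, and the Plug and Play BIOS checksum is taken to cover the bytes from the signature through the checksum byte, so that they sum to zero modulo 256.

```python
import hashlib
import struct

SIGNATURE = b"TCPA"        # offset 0h, DWORD, ASCII "TCPA"
STRUCT_REVISION = 0x01     # offset 04h


def _pnp_checksum_byte(data: bytes) -> int:
    """Byte that makes data plus itself sum to 0 mod 256 (Plug and Play BIOS style)."""
    return (-sum(data)) & 0xFF


def build_validation_header(segments, certificate: bytes, next_header: int = 0) -> bytes:
    """Assemble a header in the 5.4 layout (constructed sample, not a real certificate)."""
    body = bytearray(SIGNATURE)
    body.append(STRUCT_REVISION)
    length_index = len(body)                 # 05h, filled once the total size is known
    body.append(0)
    body += struct.pack("<H", next_header)   # 06h, offset of next header (0000 if none)
    body.append(len(segments))               # 08h, number of segments (0 = entire visible ROM)
    for seg_offset, seg_length in segments:  # WORD offset + WORD length per segment
        body += struct.pack("<HH", seg_offset, seg_length)
    body.append(0xFF)                        # reserved, 0FFh
    body.append(0)                           # checksum placeholder
    total = len(body) + len(certificate)
    body[length_index] = (total + 15) // 16  # assumption: length covers header + certificate
    body[-1] = _pnp_checksum_byte(bytes(body[:-1]))
    padding = body[length_index] * 16 - total
    return bytes(body) + certificate + bytes(padding)


def parse_validation_header(rom: bytes, offset: int) -> dict:
    """Walk the header at rom[offset:], checking signature, reserved byte and checksum."""
    if rom[offset:offset + 4] != SIGNATURE:
        raise ValueError("no TCPA signature at %#x" % offset)
    revision = rom[offset + 4]
    length = rom[offset + 5] * 16
    (next_header,) = struct.unpack_from("<H", rom, offset + 6)
    seg_count = rom[offset + 8]
    pos = offset + 9
    segments = []
    for _ in range(seg_count):
        seg_offset, seg_length = struct.unpack_from("<HH", rom, pos)
        segments.append((seg_offset, seg_length))
        pos += 4
    if rom[pos] != 0xFF:
        raise ValueError("reserved byte is not 0FFh")
    pos += 1
    checksum_end = pos + 1                   # the checksum byte sits at rom[pos]
    if sum(rom[offset:checksum_end]) & 0xFF != 0:
        raise ValueError("header checksum mismatch")
    return {
        "revision": revision,
        "length": length,
        "next_header": next_header,
        "segments": segments,
        "cert_offset": checksum_end,         # the Validation Certificate starts here
        "certificate": rom[checksum_end:offset + length],  # includes pad bytes to 16-byte boundary
    }


def validation_hash(rom: bytes, offset: int) -> bytes:
    """SHA-1 over the covered ROM segments (or the whole visible ROM minus this structure when
    the segment count is 0), followed by the header bytes up to but excluding the certificate (5.3)."""
    hdr = parse_validation_header(rom, offset)
    h = hashlib.sha1()
    if hdr["segments"]:
        for seg_offset, seg_length in hdr["segments"]:
            h.update(rom[seg_offset:seg_offset + seg_length])
    else:
        h.update(rom[:offset])
        h.update(rom[offset + hdr["length"]:])
    h.update(rom[offset:hdr["cert_offset"]])
    return h.digest()


# Constructed sample: 256 bytes of stand-in option ROM code with the header appended.
SAMPLE_CODE = bytes(range(256))
SAMPLE_CERT = b"-- constructed placeholder Validation Certificate --"
SAMPLE_SEGMENTS = [(0x0000, 0x0040), (0x0080, 0x0020)]
SAMPLE_ROM = SAMPLE_CODE + build_validation_header(SAMPLE_SEGMENTS, SAMPLE_CERT)
SAMPLE_HEADER_OFFSET = len(SAMPLE_CODE)

if __name__ == "__main__":
    hdr = parse_validation_header(SAMPLE_ROM, SAMPLE_HEADER_OFFSET)
    print("segments:", hdr["segments"], "declared length:", hdr["length"])
    print("hash over covered bytes:", validation_hash(SAMPLE_ROM, SAMPLE_HEADER_OFFSET).hex())
```

Because the header's segment list decides what the certificate's hash covers, a verifier should treat the header bytes themselves as part of the hashed input (as 5.3 requires); otherwise a rewritten segment list could exclude modified code from the check.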
6. IPL Code, Power States, and Transitions

6.1 Architecture and Definitions
6.2 Procedure for Transitioning the TPM from Pre-Boot to Post-Boot

6.2.1 Extending PCR[4] - The IPL Code
6.2.2 Extending PCR[5] - IPL Configuration and Data
Prior to calling INT 19h, the event EV_SEPARATOR SHALL be measured to the pre-boot PCRs
(PCR[0-7]). This SHALL be followed by measuring the event "Calling INT 19h" to PCR[4]. If a boot
device returns, an event indicating the nature of the return SHALL be measured to PCR[4].
Subsequent attempts to boot SHALL measure the boot device to PCR[4] and the event
EV_SEPARATOR to the pre-boot PCRs (PCR[0-7]).
6.3.1 Definitions and Conditions during Power States

6.3.1.1 S1: Stand-by - Low wakeup latency sleeping state

TPM State: Fully working, because the TPM is still under power during the S1 sleep state.
Entering S1: Nothing to do.
During S1: Nothing to do.
Exiting S1: Nothing to do.



6.3.1.2 S2: Stand-by with CPU context lost

TPM State: Fully working, because the TPM is still under power during the S2 sleep state.
Entering S2: Nothing to do. 
During S2: Nothing to do. 
Exiting S2: Nothing to do. 



6.3.1.3 S3: Suspend To Ram 

TPM State: S3 is the most complex mode to handle, because PCR values are to be preserved by
the platform during this mode. The mechanism to preserve the values cannot be
accessible outside the TPM. During S3 the TPM must prohibit all TPM functions.

Entering S3: The post-boot driver MAY issue the TPM_SaveState.

During S3: May have power. This is hardware design dependent. If the TPM has the ability to
preserve the contents of the PCRs without power, no power is needed to the TPM. 
However, if the TPM cannot maintain the contents of the PCRs without power, the 
Motherboard MUST provide sufficient power to the TPM to maintain the PCRs. 

Exiting S3: The command to restore the PCRs is issued by the CRTM. 

6.3.1.4 S4 OS: Suspend To Disk

TPM State: All power, including auxiliary, is removed. 

Entering S4: Nothing to do. 

During S4: The TPM is off - Nothing to do. 

Exiting S4: The PCRs will be lost, including the PCRs used by the OS, therefore the OS must
establish new integrity. The OS, therefore, cannot attest to its original power-on state.



6.3.1.5 S4 BIOS: Suspend To Disk

TPM State: All power, including auxiliary, is removed.
Entering S4: Nothing to do.

During S4: The TPM is off - Nothing to do.

Exiting S4: The PCRs will be lost, including the PCRs used by the OS, therefore the OS must
establish new integrity. The PCR contents may be different from those after S4 from OS.



6.3.1.6 S5: Off State

TPM State: All power, including auxiliary, is removed.

Entering S5: Nothing to do.

During S5: The TPM is off - Nothing to do.

Exiting S5: The PCRs will be lost, including the PCRs used by the OS, therefore the OS must
establish new integrity. 



6.3.2 Power State Transitions 



The following pseudo code is a suggested implementation that generalizes the control flow of
the motherboard during the pre-Boot state. Not all conditions and error states are included. This is
intended only as a guide.



6.3.2.1 S5 -> S0

Starting from a power off state.

MAInitTPM (stType = TCPA_ST_CLEAR)

if (MAInitTPM returned OK)
{
    MAHashAllExtendTPM (CRTM version, PCR[0])
}
else // MAInitTPM returned Error
MAInitError:
{
    if (PMInitCRTM() indicated TPM failure)
    {
        // Keep communication path open.
        GoTo POST_BIOS // Transfer control to POST BIOS.
    }
    else // Assume communication path failed
    {
        if (Disable TPM Interface is provided)
        {
            Disable Interface to TPM
        }
        else
        {
            Disable the platform
        }
    }
}

if (Normal boot)
{
    MAHashAllExtendTPM (Initial POST BIOS, PCR[0])
    GoTo POST_BIOS // Transfer control to POST BIOS
}
// Note: the following else clause is optional depending on whether either the
// BIOS Recovery Mode or a Utility requiring physical presence
// indication from the boot state is part of the motherboard's design.
else if (executing BIOS Recovery Mode)
{
    MAHashAllExtendTPM (BIOS Recovery Code, PCR[0])
    GoTo BIOS_Recovery_Code
}
else if (indication of physical presence given to BIOS)
{
    if (Platform requires physical presence during Boot state)
    {
        MAHashAllExtendTPM (Utility, PCR[0])
        MAPhysicalPresenceTPM (TCPA_PC_PHYSICAL_PRESENCE_MASK_SW |
                               TCPA_PC_PHYSICAL_PRESENCE_PRESENT)
        GoTo Physical_Presence_Utility
    }
}

POST_BIOS:
    TCPA_StatusCheck ()
    Optionally TCPA_PassThroughToTPM (TPM_DisableOwnerClear)
    Optionally TCPA_PassThroughToTPM (TPM_DisableForceClear)

    If (Embedded Option ROMs)
        TPMHashAllExtendCRTM (Embedded Option ROMs, PCR[0])

    TCPA_HashLogExtendEvent (Platform Configuration, PCR[1])

    While (Unexecuted Option ROM present)
        TCPA_HashLogExtendEvent (Visible Portion of Option ROM, PCR[2])
        Transfer control to Option ROM.

INT_18:
    Choose next IPL Code
    TPMHashAllExtendCRTM (PCR[4], Chosen IPL Code)
    TPMHashAllExtendCRTM (PCR[0-7], EV_Separator)
    TPMHashAllExtendCRTM (PCR[4], "Calling INT 19h")
    INT 19h // To Execute IPL Code

IPL:
    TCPA_HashLogExtendEvent (IPL Configuration Data, PCR[5])
    Transfer Control to OS Loader
    if (OS loader fails to load OS)
        GoTo INT_18

BIOS_Recovery_Code:
    Transfer control of platform to BIOS Recovery Code
    When complete perform Platform Reset

Physical_Presence_Utility:
    Transfer control of platform to Utility Requiring Physical Presence
    When complete perform Platform Reset

END

6.3.2.2 S1 -> S0

No Action

6.3.2.3 S2 -> S0

No Action

6.3.2.4 S3 -> S0



CRTM MUST be able to determine if there has been an update to any portion of the BIOS since the 
previous transition from S5. If the CRTM detects a modification to BIOS since the last transition from 
S5, the CRTM MUST either: 

• Force the platform to transition to S5, or 

• Make the contents of PCR[0] invalid. 
MAInitTPM (stType = TCPA_ST_STATE)

If MAInitTPM returned OK
{
    If BIOS modified since last S5
    {
        Force transition to S5.
        or
        Invalidate PCR[0].
    }
    Transfer control to the OS.
}
else
{
    Force transition to S5.
    GoTo MAInitError in 6.3.2.1 S5 -> S0
}




Same as S5->S0 except IPL loads the saved memory image. 
7. Event Logging
7.1 ACPI Table Usage



[Figure 7-1: Root System Description Pointer Structure -> Root System Description Table (FACP,
TCPA) -> Fixed ACPI Description Table (FIRM, DSDT, BLKs) and Differentiated System Description
Table; the TCPA table carries the TCPA LOG POINTER to the event log (ENTRY 1 .. ENTRY n) in the
ACPI Non-Reclaimable Area, which the ACPI Driver reads; the Firmware ACPI Control Structure
holds the wake vector and shared lock.]

Figure 7-1 ACPI Structure
Field                        Byte Length  Byte Offset  Description

Header

Signature                    4            0            'TCPA'. Signature for the TCPA Table.

Length                       4            4            Length, in bytes, of the entire TCPA Table. The
                                                       length implies the number of Entry fields at the end
                                                       of the table.

Revision                     1            8            1

Checksum                     1            9            Entire table must sum to zero.

OEMID                        6            10           OEM identifier.

OEM Table ID                 8            16           For the TCPA Table, the table ID is the
                                                       manufacturer model ID.

OEM Revision                 4            24           OEM revision of TCPA table for supplied OEM
                                                       Table ID.

Creator ID                   4            28           Vendor ID of utility that created the table.

Creator Revision             4            32           Revision of utility that created the table.

Reserved                     2            36           Reserved for future assignment by this
                                                       specification, set to 0000h.

Log Area Maximum             4            38           Identifies the maximum length (in bytes) of the
Length (LAML)                                          system's pre-boot TCPA event log area.

                                                       Note: For TCPA 1.1, this maximum log size is
                                                       64KB.

Log Area Start               8            42           Contains the 64-bit physical address of the start of
Address (LASA)                                         the system's pre-boot TCPA event log area, in
                                                       QWORD format.

                                                       Note: The log area ranges from address LASA to
                                                       LASA+(LAML-1).



7.2 Measurement Event Log

The instantiation of the event log is an array of TCPA_PCR_EVENT structures as defined below.
7.2.1 Platform Independent Event Log Structure

Platform Independent events SHALL be done using the events identified in the TCPA Main
Specification. Examples of these are Validation Certificates. These are logged using the
EV_CODE_CERT event type.



7.2.2 Platform Specific Event Log 

For the events described in this section the EventType SHALL be EV_PLATFORM_SPECIFIC and
the event field within the TCPA_PCR_EVENT structure SHALL be the
PlatformSpecificEventLogStruct as defined in Section 7.2.2.1 Platform Specific Event Log Structure.



7.2.2.1 Platform Specific Event Log Structure 

The Events shall be the following structure. 

PlatformSpecificEventLogStruct STRUCT
    EventID        DD ?    ; Tag as defined in Section 7.2.2.2 Platform Specific Event Tags
    EventDataSize  DD ?    ; Size of EventData
    EventData      DB ?    ; EventData
PlatformSpecificEventLogStruct ENDS

7.2.2.2 Platform Specific Event Tags 

The EventID and EventDataSize elements are represented in big endian format.



7.2.2.2.1 SMBIOS structure 

Each event MAY consist of one or more complete SMBIOS records. This event may appear multiple 
times in the event log. The SMBIOS structure SHALL be logged using the following: 

EventID = 0001h

EventData[] = One or more raw complete SMBIOS records.



7.2.2.2.2 BIS Certificate

The BIS Certificate SHALL be logged using the following:

EventID = 0002h

EventData[] = Raw BIS Certificate



7.2.2.2.3 POST BIOS ROM Strings 

The BIOS ROM Strings SHALL be logged using the following: 

EventID = 0003h

EventData[] = Hash of POST BIOS ROM Strings



7.2.2.2.4 ESCD 

The ESCD SHALL be logged using the following: 

EventID = 0004h

EventData[] = Hash of ESCD Data

7.2.2.2.5 CMOS 

The CMOS SHALL be logged using the following: 

EventID = 0005h

EventData[] = Raw CMOS Data

7.2.2.2.6 NVRAM 

The NVRAM SHALL be logged using the following: 

EventID = 0006h

EventData[] = Raw NVRAM contents

7.2.2.2.7 Option ROM Execute 

The BIOS logs the execution of each Option ROM into PCR[2] using the following: 

EventID = 0007h

EventData[] = OptionROMExecuteStructure (including the PFA)

7.2.2.2.8 Option ROM Configuration 

Option ROMs log events into PCR[3] using the following:

EventID = 0008h

Event[] = OptionROMConfigStructure (including the PFA)

7.2.2.2.9 Option ROM Microcode Update 

Option ROMs log events into PCR[2] using the following:

EventID = 000Ah

Event[] = Hash of Microcode that will be loaded.
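An encoder and decoder for PlatformSpecificEventLogStruct (7.2.2.1) with the tag values of 7.2.2.2.1 through 7.2.2.2.9, as an added Python example that is not part of the specification. The SMBIOS record and CMOS bytes it carries are constructed placeholders. The point it shows is the big-endian EventID/EventDataSize encoding, which differs from the little-endian layout of the surrounding ACPI and BIOS structures, and the bounds check a log reader needs so that a corrupt EventDataSize cannot run it past the end of the log area.

```python
import struct

# Tags assigned on this page (0009h is not assigned here).
EVENT_TAGS = {
    0x0001: "SMBIOS structure",
    0x0002: "BIS Certificate",
    0x0003: "POST BIOS ROM Strings",
    0x0004: "ESCD",
    0x0005: "CMOS",
    0x0006: "NVRAM",
    0x0007: "Option ROM Execute",
    0x0008: "Option ROM Configuration",
    0x000A: "Option ROM Microcode Update",
}

# EventID and EventDataSize are DD (32-bit) fields in big endian format (7.2.2.2).
EVENT_HEADER = struct.Struct(">II")


def encode_event(event_id: int, event_data: bytes) -> bytes:
    """Serialize one PlatformSpecificEventLogStruct."""
    return EVENT_HEADER.pack(event_id, len(event_data)) + event_data


def decode_events(blob: bytes) -> list:
    """Parse back-to-back PlatformSpecificEventLogStructs from blob, refusing any
    entry whose header or EventDataSize runs past the end of the buffer."""
    events = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < EVENT_HEADER.size:
            raise ValueError("truncated event header at offset %d" % pos)
        event_id, size = EVENT_HEADER.unpack_from(blob, pos)
        pos += EVENT_HEADER.size
        if size > len(blob) - pos:
            raise ValueError("EventDataSize %d at offset %d exceeds the remaining %d bytes"
                             % (size, pos - EVENT_HEADER.size, len(blob) - pos))
        events.append({
            "event_id": event_id,
            "tag": EVENT_TAGS.get(event_id, "unassigned tag %04Xh" % event_id),
            "data": blob[pos:pos + size],
        })
        pos += size
    return events


# Constructed sample payloads, not data captured from a real platform.
SAMPLE_SMBIOS_RECORD = b"\x00\x18\x00\x00" + b"constructed SMBIOS type 0 body"
SAMPLE_CMOS = bytes(range(0x40))
SAMPLE_BLOB = (encode_event(0x0001, SAMPLE_SMBIOS_RECORD)
               + encode_event(0x0005, SAMPLE_CMOS)
               + encode_event(0x0009, b"tag not assigned on this page"))

if __name__ == "__main__":
    for ev in decode_events(SAMPLE_BLOB):
        print("%04Xh  %-28s %3d bytes" % (ev["event_id"], ev["tag"], len(ev["data"])))
```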



Version 1.00 September 09, 2001

TCPA PC Specific Implementation Specification

Copyright TCPA 2001

TCPA PC Specific Specification Final Page 36



7.2.3 EV_ACTION Event Types

The following action strings are defined. The strings below are enclosed in quotes for clarity; the
actual log entries SHALL not include the quote characters. They SHALL be logged using the
following:

EventType = EV_ACTION

Event[] = ASCII string of the following:



String                              PCR   Purpose and Comments

"Calling INT 19h"                   4     BIOS is calling INT 19h. If no additional strings are
                                          posted in the log, that means that the software which
                                          'hooked' the INT 19 vector did not return control.

"Returned INT 19h"                  4     BIOS received control back from the prior INT 19h
                                          invocation. If the called code is not TCPA-aware it may
                                          have loaded additional unmeasured code. However
                                          there is a log entry showing entry to (and
                                          measurement of) untrusted code.

"Return via INT 18h"                4     BIOS received control back via INT 18h. If the called
                                          code is not TCPA-aware it may have loaded additional
                                          unmeasured code. However there is a log entry
                                          showing entry to (and measurement of) untrusted code.

"Booting BCV Device s"              4     BIOS is IPL/Booting a BCV Device. The value 's' is an
                                          ASCII string that unambiguously describes the boot
                                          device. This SHOULD include an indication of logical or
                                          physical device location and any ID string returned by
                                          the device.

"Booting BEV Device s"              4     BIOS is IPL/Booting a BEV Device. The value 's' is an
                                          ASCII string supplied by the BEV device.

"Entering ROM Based Setup"          0     BIOS is entering ROM based Setup during the pre-boot
                                          environment.

"Booting to Parties N"              4     BIOS is IPL/Booting from a Parties Partition #N. The
                                          value N is the actual numeric value of the partition
                                          number represented as a printable ASCII hex value
                                          (e.g. partition zero would get the string value "0"),
                                          where N is the index into the BEER table.

"User Password Entered"             4     User has entered the correct user password.

"Administrator Password Entered"    4     User has entered the correct administrator password.

"Password Failure"                  4     The typed password did not match the stored password
                                          after a specified number of retries.

"Wake Event n"                      1     where n is the WfM wake source (e.g. wake source zero
                                          would get the string value "0").

"BootSequenceUserIntervention"            User altered the boot sequence.

"ChassisIntrusion"                  1     The case was opened.

"Non Fatal Error"                   1     A non-fatal POST error (e.g. keyboard failure) was
                                          encountered. This is any error that allows the system
                                          to continue the boot process.

"Start Option ROM Scan"             2     BIOS has started the Option ROM scan.

"Unhiding Option ROM Code"          2     Unhiding Option ROM Code.

"<OpRom Specific non-IPL String>"   3     An Option ROM vendor specific string for non-Boot/IPL
                                          events.

"<OpRom Specific IPL String>"       5     An Option ROM vendor specific string for Boot/IPL
                                          events.
[Figure 8-1: Software layer with the TCPA Application Interface (TCPA_HashLogExtendEvent,
TCPA_PassThroughToTPM) above the TCPA TSS and the Pre-Boot Driver Interface; Hardware layer
with the TPM; the event log (ENTRY 1 .. ENTRY n) is written via Log and the TPM via Extend.]

Figure 8-1 Pre-Boot Interfaces

This interface only supports up to 4GB of physical address space.



8.1.1 General Calling Convention 

Each function below will have the following general calling convention: 
On entry: 

(AH) = BBh 

(AL) = Function selector, see below 

(ES) = Segment portion of the pointer to the input parameter block
(DI) = Offset portion of the pointer to the input parameter block
(DS) = Segment portion of the pointer to the output parameter block
(SI) = Offset portion of the pointer to the output parameter block
(EBX) = 'TCPA' (41504354h)
(ECX) = 0
(EDX) = 0

On return: 

(EAX) = Return code. If (AH) = 86h the function is not supported by the system. 
(DS:SI) = Modified based on specific function called 

All other register contents including upper words of 32-bit registers are preserved. Note that this 
cannot be guaranteed if (AH) = 86h because the call could be made on a pre-TCPA BIOS. 
8.1.2 Return Codes

The following are the defined error codes the pre-Boot functions MAY return:









Return Code             Value                                         Description

TCPA_PC_OK              0000h                                         The function returned successful.

TCPA_PC_TPMERROR        TCPA_PC_OK + 01h | (TPM driver error << 16)   The TPM driver returned an error. The
                                                                      upper 16 bits contain the actual error
                                                                      code returned by the driver as defined
                                                                      in Section 8.2.3.6 Error and Return
                                                                      Codes.

TCPA_PC_LOGOVERFLOW     TCPA_PC_OK + 02h                              There is insufficient memory to create
                                                                      the log entry.

TCPA_PC_UNSUPPORTED     TCPA_PC_OK + 03h                              The requested function is not
                                                                      supported.
8.1.3 TCPA_StatusCheck
INT 1Ah, (AH)=BBh, (AL)=00h

This function call verifies the presence of the TCPA BIOS interface and provides the caller with the
version of the TCPA BIOS Specification to which the implementation complies. If required, MPInitTPM
MAY be called to initialize the MP Driver during the first invocation of this function.

On entry: 

(AH) = BBh

(AL) = 00h

On return:

(EAX) = Return code. Set to 00000000h if the system supports the TCPA BIOS calls.

(EBX) = 'TCPA' (41504354h)

(CH) = TCPA BIOS Major Version (01h for version 1.0)

(CL) = TCPA BIOS Minor Version (00h for version 1.0)

(EDX) = BIOS TCPA Feature Flags

(ESI) = Pointer to the Event Log

Note: The caller must assume that no registers are preserved by the call, since the call might
be made in an unsupported system environment.
8.1.4 TCPA_HashLogExtendEvent
INT 1Ah, (AH)=BBh, (AL)=01h

This function performs the functions of the TSS_HashAll, TPM_Extend, and TSS_LogEvent
operation for the data region specified by the caller. The caller should verify the availability of this 
function by issuing a previous call to the Presence Check function, that way the caller can be assured 
that calls to this function preserve the register contents (including the upper 16 bits of 32-bit 
registers). 

On entry: 

(AH) = BBh 

(AL) = 01 h 

(ES) = Segment portion of the pointer to the HashLogExtendEvent input parameter block 

(Dl) = Offset portion of the pointer to the HashLogExtendEvent input parameter block 

(DS) = Segment portion of the pointer to the HashLogExtendEvent output parameter block 

(SI) = Offset portion of the pointer to the HashLogExtendEvent output parameter block 

(EBX) = TCPA'(41504354h) 

(ECX) = 0 

(EDX) = 0 

On return: 

(EAX) = TCPA^STATUS 

(DS:SI) = Referenced buffer updated to provide return results. 
All other registers are preserved. 

8.1.4.1 HashLogExtendEvent Input Parameter Block 











OOh 


WORD 


IPBLength 


The length, in bytes of the input parameter block, set a 
minimum of 0018h 


02h 


WORD 


Reserved 


Reserved for future definition by this specification, set to 
OOOOh. 


04h 


DWORD 


HashDataPtr 


The 32-bit physical address of the start of the data 
buffer to be hashed, extended, and logged. 


08h 


DWORD 


HashDataLen 


The length, in bytes, of the buffer referenced by 
HashDataPtr. 


OCh 


DWORD 


PCRIndex 


The PCR number to which the hashed result is to be 
extended. 


14h 


DWORD 


LogDataPtr 


The 32-bit physical address of the start of the data 
buffer containing the TCPA_PCR_EVENT data 
structure. 


18h 


DWORD 


LogDataLen 


The length, in bytes, of the TCPA.PCR.EVENT data 
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2 Ma 


shLogEx 


tenctEvent Outpi 


structure, 
jt Parameter Block 


juQff set I 






f.-tl^,epJbl>l^,Uyi:I^:^-5 > ;:<j^ .c '4 ' ■ ^ - • , .//^^ 1- . 


OOh 


WORD 


OPBLength 


Thie length, in bytes, of the output parameter block, a 

minimum of 0048h. 


02h 


WORD 


Reserved 


Reserved for future definition by this specification, set to 
OOOOh. 


04h 


DWORD 


EventNumber 


The event number of the event just logged. 


08h 


20 

BYTEs 


HashValue 


The TCPA_HASH result of the HashAII function. 
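The HashLogExtendEvent sequence above (hash the caller's buffer, extend the PCR, log the event, fill the output block), as an added C model that is not part of the specification. The SHA-1 is a plain reference implementation standing in for the TPM driver; the in-memory PCR bank, the simplified log record and its capacity, the 16-PCR bound, and the use of TPM_INVALID_INPUT_PARA (8.2.3.6) for an out-of-range PCRIndex are this example's assumptions.

```c
/* Added model of TCPA_HashLogExtendEvent (not the specification's code): hash
 * the caller's buffer, extend one PCR, append a log record, fill the OPB.
 * SHA-1 is a plain reference implementation standing in for the TPM driver;
 * the PCR bank, log record and log capacity are in-memory stand-ins. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TCPA_HASH_LEN 20
#define TCPA_PC_OK          0x0000u
#define TCPA_PC_TPMERROR    0x0001u                   /* low word of 8.1.2 */
#define TCPA_PC_LOGOVERFLOW 0x0002u
#define TPM_RET_BASE        0x01u                     /* 8.2.3.6 */
#define TPM_INVALID_INPUT_PARA (TPM_RET_BASE + 24)    /* 8.2.3.6 */
#define NUM_PCRS 16   /* assumption: not stated on this page */
#define MAX_LOG  4    /* assumption: constructed log capacity, small to show overflow */

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Reference SHA-1 (TCPA_ALG_SHA) over a whole buffer in one call. */
static void sha1(const uint8_t *msg, size_t len, uint8_t out[TCPA_HASH_LEN]) {
    uint32_t h[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};
    size_t total = ((len + 8) / 64 + 1) * 64;       /* length after padding */
    uint8_t *buf = calloc(total, 1);
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    uint64_t bits = (uint64_t)len * 8;
    for (int i = 0; i < 8; i++) buf[total - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (size_t off = 0; off < total; off += 64) {
        uint32_t w[80];
        for (int i = 0; i < 16; i++)
            w[i] = ((uint32_t)buf[off + 4*i] << 24) | ((uint32_t)buf[off + 4*i + 1] << 16) |
                   ((uint32_t)buf[off + 4*i + 2] << 8) | (uint32_t)buf[off + 4*i + 3];
        for (int i = 16; i < 80; i++) w[i] = rol(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
        uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 80; i++) {
            uint32_t f, k;
            if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999u; }
            else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1u; }
            else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDCu; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6u; }
            uint32_t t = rol(a, 5) + f + e + k + w[i];
            e = d; d = c; c = rol(b, 30); b = a; a = t;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    free(buf);
    for (int i = 0; i < 5; i++)
        for (int j = 0; j < 4; j++) out[4*i + j] = (uint8_t)(h[i] >> (24 - 8*j));
}

/* Simplified stand-in for a TCPA_PCR_EVENT record (only the digest is kept). */
typedef struct { uint32_t event_number, pcr_index; uint8_t digest[TCPA_HASH_LEN]; } log_entry;

typedef struct {                                    /* emulated PCR bank + BIOS event log */
    uint8_t   pcr[NUM_PCRS][TCPA_HASH_LEN];         /* all zero after Platform Reset */
    log_entry log[MAX_LOG];
    uint32_t  log_count;
} tcpa_state;

/* Output parameter block of 8.1.4.2, fields in the page's order. */
typedef struct { uint16_t opb_length, reserved; uint32_t event_number; uint8_t hash_value[TCPA_HASH_LEN]; } hlee_opb;

/* TPM_Extend: PCR[i] = SHA-1(PCR[i] || digest). The previous value is gone for good. */
static void pcr_extend(uint8_t pcr[TCPA_HASH_LEN], const uint8_t digest[TCPA_HASH_LEN]) {
    uint8_t concat[2 * TCPA_HASH_LEN];
    memcpy(concat, pcr, TCPA_HASH_LEN);
    memcpy(concat + TCPA_HASH_LEN, digest, TCPA_HASH_LEN);
    sha1(concat, sizeof concat, pcr);
}

/* The HashLogExtendEvent sequence: TSS_HashAll, TPM_Extend, TSS_LogEvent, then the OPB.
 * Returns TCPA_STATUS as coded in 8.1.2 (a driver error goes in the upper 16 bits). */
uint32_t hash_log_extend_event(tcpa_state *st, const uint8_t *data, uint32_t len,
                               uint32_t pcr_index, hlee_opb *out) {
    if (pcr_index >= NUM_PCRS)
        return TCPA_PC_TPMERROR | ((uint32_t)TPM_INVALID_INPUT_PARA << 16);
    /* Refuse before touching the PCR: an extend without its log record could
     * never be reproduced by a verifier replaying the log. */
    if (st->log_count >= MAX_LOG) return TCPA_PC_LOGOVERFLOW;
    uint8_t digest[TCPA_HASH_LEN];
    sha1(data, len, digest);                            /* TSS_HashAll */
    pcr_extend(st->pcr[pcr_index], digest);             /* TPM_Extend */
    log_entry *e = &st->log[st->log_count++];           /* TSS_LogEvent */
    e->event_number = st->log_count;
    e->pcr_index = pcr_index;
    memcpy(e->digest, digest, TCPA_HASH_LEN);
    out->opb_length = sizeof *out;
    out->reserved = 0;
    out->event_number = e->event_number;
    memcpy(out->hash_value, digest, TCPA_HASH_LEN);
    return TCPA_PC_OK;
}

int main(void) {                                 /* constructed run: one event on PCR 0 */
    tcpa_state st = {0}; hlee_opb opb;
    return hash_log_extend_event(&st, (const uint8_t *)"abc", 3, 0, &opb) == TCPA_PC_OK ? 0 : 1;
}
```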
8.1.5 TCPA_PassThroughToTPM
INT 1Ah, (AH)=BBh, (AL)=02h

This function provides a pass-through capability from the caller to the system's TPM. Refer to the
TPM implementation appendix of the Main TCPA Specification for input/output parameter block
formats. The caller should verify the availability of this function by issuing a previous call to the
Presence Check function; that way the caller can be assured that calls to this function preserve the
register contents (including the upper 16 bits of 32-bit registers).

The TPM in and out operands are defined in the Main Specification.

On entry:

(AH) = BBh

(AL) = 02h

(ES) = Segment portion of the pointer to the TPM input parameter block

(DI) = Offset portion of the pointer to the TPM input parameter block

(DS) = Segment portion of the pointer to the TPM output parameter block

(SI) = Offset portion of the pointer to the TP	M output parameter block

(EBX) = 'TCPA' (41504354h)

(ECX) = 0

(EDX) = 0

On return:

(EAX) = TCPA_STATUS

(DS:SI) = Referenced buffer updated to provide return results.
All other registers are preserved.

8.1.5.1 TPM Input Parameter Block

Offset  Size   Name          Description
00h     WORD   IPBLength     The length, in bytes, of the input parameter block, set to a minimum of 0008h.
02h     WORD   Reserved      Reserved for future definition by this specification, set to 0000h.
04h     WORD   OPBLength     Size of TPM Output Parameter Block allocated.
06h     WORD   Reserved
08h     BYTE   TPMOperandIn  The TPM Operand Parameter Block to send to the TPM.

8.1.5.2 TPM Output Parameter Block

Offset  Size   Name           Description
00h     WORD   OPBLength      The length, in bytes, of the output parameter block, a minimum of 0004h.
02h     WORD   Reserved       Reserved for future definition by this specification, set to 0000h.
04h     BYTE   TPMOperandOut  The TPM Operand Parameter Block received from the TPM.
8.1.6 TCPA_ShutdownPreBootInterface

INT 1Ah, (AH)=BBh, (AL)=03h

The IPL Code issues this call once it has its runtime access to the TPM available; the call causes the
system firmware to no longer respond to TCPA BIOS requests through this interface until the next
system restart.

Calling this function is optional.

On entry:

(AH) = BBh

(AL) = 03h

(EBX) = 'TCPA' (41504354h)

On return:

(EAX) = TCPA_STATUS
All other registers are preserved.
8.1.7 TCPA_LogEvent
INT 1Ah, (AH)=BBh, (AL)=04h

This function MUST provide the TSS capability TSS_LogEvent.

On entry:

(AH) = BBh

(AL) = 04h

(ES) = Segment portion of the pointer to the LogEvent input parameter block

(DI) = Offset portion of the pointer to the LogEvent input parameter block

(DS) = Segment portion of the pointer to the LogEvent output parameter block

(SI) = Offset portion of the pointer to the LogEvent output parameter block

(EBX) = 'TCPA' (41504354h)

(ECX) = 0

(EDX) = 0

On return:

(EAX) = TCPA_STATUS
(DS:SI) = Referenced buffer updated to provide return results.

All other registers are preserved.

8.1.7.1 LogEvent Input Parameter Block

Offset  Size   Name          Description
00h     WORD   IPBLength     The length, in bytes, of the input parameter block, set to 0010h.
02h     WORD   Reserved      Reserved for future definition by this specification, set to 0000h.
04h     DWORD  HashDataPtr   The 32-bit physical address of the start of the data buffer to be logged.
08h     DWORD  HashDataLen   The length, in bytes, of the buffer referenced by HashDataPtr.
0Ch     DWORD  PCRIndex      The PCR number to which the event is to be logged.
10h     DWORD  LogEventType  The EventType code to be logged with the resultant hash, as defined by the TCPA Trusted Subsystem Specification.
14h     DWORD  LogDataPtr    The 32-bit physical address of the start of the data buffer containing the TCPA_PCR_EVENT data structure.
18h     DWORD  LogDataLen    The length, in bytes, of the TCPA_PCR_EVENT data structure.

8.1.7.2 LogEvent Output Parameter Block

Offset  Size   Name         Description
00h     WORD   OPBLength    The length, in bytes, of the output parameter block, set to 000Ch.
02h     WORD   Reserved     Reserved for future definition by this specification, set to 0000h.
04h     DWORD  EventNumber  The event number of the event just logged.
8.1.8 TCPA_HashAll

INT 1Ah, (AH)=BBh, (AL)=05h

This function MUST provide the TSS capability TSS_HashAll.

On entry:

(AH) = BBh

(AL) = 05h

(ES) = Segment portion of the pointer to the HashAll input parameter block

(DI) = Offset portion of the pointer to the HashAll input parameter block

(DS) = Segment portion of the pointer to the Digest

(SI) = Offset portion of the pointer to the Digest

(EBX) = 'TCPA' (41504354h)

(ECX) = 0

(EDX) = 0

On return:

(EAX) = TCPA_STATUS

(DS:SI) = Referenced buffer updated to provide return results.
All other registers are preserved.

8.1.8.1 HashAll Input Parameter Block

Offset  Size   Name         Description
00h     WORD   IPBLength    The length, in bytes, of the input parameter block, set to 0010h.
02h     WORD   Reserved     Reserved for future definition by this specification, set to 0000h.
04h     DWORD  HashDataPtr  The 32-bit physical address of the start of the data buffer to be hashed.
08h     DWORD  HashDataLen  The length, in bytes, of the buffer referenced by HashDataPtr.
0Ch     DWORD  AlgorithmID  The algorithm to use. In TCPA v1 this MUST be TCPA_ALG_SHA.
8.1.9 TCPA_TSS

INT 1Ah, (AH)=BBh, (AL)=06h

This function provides optional TSS capabilities. If any TSS commands are implemented through this
function, TSS_GetCapability MUST be implemented to give the caller the ability to determine which
TSS operations are supported. If no TSS operations are supported this function MUST return with
TCPA_STATUS = TCPA_PC_UNSUPPORTED.

The TSS in and out operands are defined in the TSS Specification.

On entry:

(AH) = BBh

(AL) = 06h

(ES) = Segment portion of the pointer to the TSS input parameter block

(DI) = Offset portion of the pointer to the TSS input parameter block

(DS) = Segment portion of the pointer to the TSS output parameter block

(SI) = Offset portion of the pointer to the TSS output parameter block

(EBX) = 'TCPA' (41504354h)

(ECX) = 0

(EDX) = 0

On return:

(EAX) = TCPA_STATUS

(DS:SI) = Referenced buffer updated to provide return results.

All other registers are preserved.

8.1.9.1 TSS Input Parameter Block

Offset  Size   Name          Description
00h     WORD   IPBLength     The length, in bytes, of the input parameter block, set to a minimum of 0008h.
02h     WORD   Reserved      Reserved for future definition by this specification, set to 0000h.
04h     WORD   OPBLength     Size of TSS Output Parameter Block allocated.
06h     WORD   Reserved
08h     BYTE   TSSOperandIn  The TSS Operand Parameter Block to send to the TPM.

8.1.9.2 TSS Output Parameter Block

Offset  Size   Name           Description
00h     WORD   OPBLength      The length, in bytes, of the output parameter block, a minimum of 0004h.
02h     WORD   Reserved       Reserved for future definition by this specification, set to 0000h.
04h     BYTE   TSSOperandOut  The TSS Operand Parameter Block received from the TSS.
8.1.10 TCPA_BIOSReserved

INT 1Ah, (AH)=BBh, (AL)=07h to 07Fh

Remaining sub-functions in the range 07h to 07Fh are reserved for future definition by this
specification.

8.1.11 TCPA_BIOSVendorReserved
INT 1Ah, (AH)=BBh, (AL)=80h to 0FFh

Reserved for vendor specific functions.

On entry:

(AH) = BBh

(AL) = nnh

(EBX) = 'TCPA' (41504354h)
8.2 TPM Driver Interfaces
8.2.1 Module Architectures
8.2.1.1 TPM Supplied BIOS Drivers

8.2.1.2 Object Format of BIOS Drivers

Both drivers provide a standard object format to the BIOS vendor as described in this section.

The table below describes what the header of the BIOS drivers will look like and where the driver
code should start. The BIOS will move the driver into high memory, and then call the start code of the
driver. The driver code MUST be relocatable and MUST be 32-bit code, capable of running in a flat
segment memory model.

BIOS Driver Header

Offset  Size      Default Value  Description
00h     WORD      55AAh          Signature used to designate the start of the BIOS driver. This is deliberately set different than the Option ROM header.
02h     DWORD                    Pointer to beginning of code (offset to entry point for the driver).
06h     WORD                     Total size of the driver in bytes (including the header).
08h     DWORD     00000000h      Base address of the TPM (as set by BIOS).
0Ch     DWORD     00000000h      Optional 2nd base address. This is for memory and I/O mapped or decoding I/O location/address (as set by BIOS).
10h     BYTE      FFh            IRQ Level (00h is not assigned, FFh is not required) (as set by BIOS and MUST be sharable).
11h     BYTE      FFh            DMA Channel (FFh if none assigned) (as set by BIOS).
12h     BYTE                     XOR-Checksum of entire driver including this header at driver build time. This is not maintained by the BIOS.
13h     BYTE      00h            Reserved and set to zero.
14h     DWORD     00000000h      PCI PFA if appropriate.
18h     DWORD     00000000h      USB, CardBus, etc.
1Ch     DWORD     00000000h      Reserved and set to zero.
20h     Variable                 Reserved for vendor specific data or is the entry point if vendor specific data not used.
XXh                              Entry point into driver.
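An added C example (not the specification's own code) of the header above as a packed struct, with a build-time checksum fill and the load-time checks a BIOS can make before copying the driver to high memory and calling it. The checksum convention assumed is that the byte at 12h makes the XOR of every byte of the image zero; the page names the field and what it covers but not the convention. The sample image, the enum names and the little-endian host are also assumptions.

```c
/* Added example, not from the specification: build-time fill and load-time
 * checks for the BIOS Driver Header of 8.2.1.2, so a BIOS can reject a TPM
 * driver image with a bad signature, size, entry point or checksum before it
 * copies the image to high memory and calls it. Assumed convention: the byte
 * at 12h is chosen so that every byte of the image XORs to zero (the page
 * says what the checksum covers but not how the field is defined). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct {
    uint16_t signature;      /* 00h: 55AAh, deliberately not the Option ROM header */
    uint32_t entry_offset;   /* 02h: offset to the driver entry point */
    uint16_t total_size;     /* 06h: size of the driver including this header */
    uint32_t tpm_base;       /* 08h: TPM base address, set by BIOS after load */
    uint32_t tpm_base2;      /* 0Ch: optional second base address, set by BIOS */
    uint8_t  irq;            /* 10h: FFh = not required, set by BIOS */
    uint8_t  dma;            /* 11h: FFh = none assigned, set by BIOS */
    uint8_t  xor_checksum;   /* 12h: XOR of the whole driver at build time */
    uint8_t  reserved13;     /* 13h: zero */
    uint32_t pci_pfa;        /* 14h: PCI PFA if appropriate */
    uint32_t bus_info;       /* 18h: USB, CardBus, etc. */
    uint32_t reserved1c;     /* 1Ch: zero */
} bios_driver_header;        /* 20h: vendor data or the entry point follows */
#pragma pack(pop)

_Static_assert(sizeof(bios_driver_header) == 0x20, "header is 20h bytes");
_Static_assert(offsetof(bios_driver_header, xor_checksum) == 0x12, "checksum at 12h");

#define DRIVER_SIGNATURE 0x55AAu
#define CHECKSUM_OFFSET  offsetof(bios_driver_header, xor_checksum)

static uint8_t xor_all(const uint8_t *p, size_t n) {
    uint8_t x = 0;
    for (size_t i = 0; i < n; i++) x ^= p[i];
    return x;
}

/* Build time (driver vendor): make the whole image XOR to zero. */
void driver_image_seal(uint8_t *image, size_t len) {
    image[CHECKSUM_OFFSET] = 0;
    image[CHECKSUM_OFFSET] = xor_all(image, len);
}

typedef enum { DRV_OK, DRV_TOO_SHORT, DRV_BAD_SIGNATURE, DRV_BAD_SIZE,
               DRV_BAD_ENTRY, DRV_BAD_RESERVED, DRV_BAD_CHECKSUM } drv_check;

/* Load time (BIOS): run these before patching the "set by BIOS" fields, since
 * the checksum is not maintained afterwards. Assumes a little-endian host,
 * which the IA-32 target is. */
drv_check driver_image_validate(const uint8_t *image, size_t len) {
    bios_driver_header h;
    if (len < sizeof h) return DRV_TOO_SHORT;
    memcpy(&h, image, sizeof h);
    if (h.signature != DRIVER_SIGNATURE) return DRV_BAD_SIGNATURE;
    if (h.total_size < sizeof h || h.total_size > len) return DRV_BAD_SIZE;
    if (h.entry_offset < sizeof h || h.entry_offset >= h.total_size) return DRV_BAD_ENTRY;
    if (h.reserved13 != 0 || h.reserved1c != 0) return DRV_BAD_RESERVED;
    if (xor_all(image, h.total_size) != 0) return DRV_BAD_CHECKSUM;
    return DRV_OK;
}

/* Constructed sample: a 48-byte image whose entry point at 20h is a single RET. */
size_t build_sample_image(uint8_t *out, size_t cap) {
    const size_t size = 48;
    bios_driver_header h = { DRIVER_SIGNATURE, 0x20, (uint16_t)size, 0, 0,
                             0xFF, 0xFF, 0, 0, 0, 0, 0 };
    if (cap < size) return 0;
    memset(out, 0, size);
    memcpy(out, &h, sizeof h);
    out[0x20] = 0xC3;                    /* RET */
    driver_image_seal(out, size);
    return size;
}

int main(void) {
    uint8_t img[48];
    return build_sample_image(img, sizeof img) && driver_image_validate(img, sizeof img) == DRV_OK ? 0 : 1;
}
```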



8.2.1.3 Basic assumptions for both BIOS Drivers

8.2.1.3.1 CMOS Timer

The CMOS Real Time Clock (RTC) will be available for both drivers and initialized by the caller. The
RTC will be available by its legacy I/O addresses.

8.2.1.3.2 Motherboard Initialization

All Motherboard chipset initialization (concerning the communication channel to the TPM device) will be
completed by the CRTM or POST-BIOS prior to calling the BIOS CRTM-Driver or POST-Driver.

8.2.1.3.3 Basic requirements

The BIOS drivers MUST fulfill the following requirements:

• The drivers MUST be completely self-contained since no BIOS services should be used;

• The drivers MUST check the validity of all the input parameters;

• The drivers MUST include block chaining for the transmission of large data blocks to and
from the TPM device;

• The drivers are responsible to add and remove all TPM-Vendor specific protocol information
to the TCPA-Transfer-Data (TCPA-Command);
8.2.2 Memory Absent (MA) Driver
8.2.2.1 MA Driver Limitations

• No DMA

• No IRQ

• No Physical Memory

• MA-Driver Register usage table (General-Purpose and Segment registers):

Register  Size  In / Out       Description
EAX       32    Not available  Driver must preserve this register.
EBX       32    Not available  Driver must preserve this register.
ECX       32    In / Out       Driver I/O; set by the caller.
EDX       32    In / Out       Driver I/O; set by the caller.
ESI       32    Not available  Driver must preserve this register.
EDI       32    Not available  Driver must preserve this register.
ESP       32    In (Offset)    Offset of the pointer to the argument packet, see Section 8.2.2.2. Set by the caller.
SS        16    In (Segment)   Segment of the pointer to the argument packet, see Section 8.2.2.2. Set by the caller.

• All other registers MAY be used as working registers by the MA driver without preserving them.

• The IA-32 processor (PIII, Athlon or equivalent processor) architecture supports MMX/3DNow
and FPU. It MAY be negotiated between the BIOS vendor (more specifically the vendor of the
Core RTM) and the supplier of the Core-RTM-Driver (typically the TPM vendor) that this Driver
can use the MMX/3DNow registers MM0 through MM7 as working registers. (Note: The MMX
registers are mapped to the physical location of the floating-point registers (R0 through R7). This
means when a value is written into an MMX register using an MMX instruction, the value also
appears in the corresponding floating-point register.)

Trademarks

• AMD, the AMD logo, AMD Athlon, K6, 3DNow!, and combinations thereof, and K86 are trademarks, and AMD-K6 is a
registered trademark of Advanced Micro Devices, Inc.

• Microsoft is a registered trademark of Microsoft Corporation.

• MMX is a trademark and Pentium is a registered trademark of Intel Corporation.

• Other product names used in this publication are for identification purposes only and may be trademarks of their respective
companies.
8.2.2.2 MA Driver Argument Packet Structure

On entry to the MA driver, SS:ESP points to an instance of this structure. The CRTM MAY have one
or more of these structures per function to allow multiple calls into a single function from different
locations.

MADriverArgPacketStruct STRUC
    ReturnAddr  DD ?  ; [IN] Return address. Allows the driver to return via RET.
    HeaderPtr   DD ?  ; [IN] Pointer to the BIOS Driver Header (Reference 8.2.1.2).
    FunctionNum DB ?  ; [IN] Function number identifying the function to perform.
MADriverArgPacketStruct ENDS

8.2.2.3 Parameters and Structures

8.2.2.3.1 Parameter pbInBuf

Description: Pointer to start address of the input data for the data transfers to TPM.

8.2.2.3.2 Parameter dwInPCRLen

Description: Upper 16 bits contain the PCRIndex, the lower 16 bits contain the length of
the input data record - 1 (i.e., FFFFh hashes 65536 bytes).

8.2.2.3.3 Parameter bMAInitTPMFctId

Description: Selects the TPM-Operation for the CRTM-Driver initialization.
00h = No TPM-Operation is selected.

To activate the TPM_Startup command set this parameter with a
TCPA_STARTUP_TYPE identifier specified in the Main Specification (see
TPM_Startup section in Main Specification).

8.2.2.3.4 Parameter bMAPhyPresenceTPMCmdId

Description: Selects the TPM-Operation for the TPM_PhysicalPresence command.

This value is used in the TPM-Param-Block of the TPM_PhysicalPresence
command. For the detailed definition of this identifier please use the Main
Specification.
8.2.2.4 MA Driver Functions

8.2.2.5 MA Driver Function Interface

The function number is contained in the FunctionNum field of the MADriverArgPacketStruct structure
(Reference Section 8.2.2.2). The base for the function numbers is 01h. The offset for vendor specific
driver function numbers is 80h. All functions return their exit code in the DL register.

8.2.2.5.1 Function MAInitTPM (Function Number: 01h)

The first call to the MA Driver must execute this function. This function does the initialization of the
TPM and establishes and verifies the communication (with the parameters from the header) between
the MA Driver and the TPM. If a TPM Operation is selected by the bTPMInitCRTMFctId parameter
this function will send the command string to the TPM.

A TPM device can be opened with the same address only once by one host at a time. If the
requested access cannot be granted (e.g., invalid input parameter) or if opening the connection to the
TPM ends unsuccessfully, the function returns the corresponding errorCode.

Input Parameters

DL = bMAInitTPMFctId

Function identifier for the TPM_Startup operation (see 8.2.2.3.3).

Return Value

DL = return value of this function

One of the following values:

TPM_OK
TPM_IS_LOCKED
TPM_NO_RESPONSE
TPM_INVALID_RESPONSE
TPM_RESPONSE_TIMEOUT
TPM_INVALID_ACCESS_REQUEST
TPM_FIRMWARE_ERROR
TPM_GENERAL_ERROR
TPM_TRANSFER_ABORT
TPM_TCPA_COMMAND_ERROR
Input Parameters

EDX = pbInBuf

Pointer to the start address of the input buffer containing the data for the TPM
device (see 8.2.2.3.1).

ECX = dwInPCRLen

PCRIndex and length of the input buffer data (see 8.2.2.3.2).

Return Value

DL = return value of this function

One of the following values:
TPM_OK
TPM_IS_LOCKED
TPM_NO_RESPONSE
TPM_INVALID_RESPONSE
TPM_RESPONSE_TIMEOUT
TPM_FIRMWARE_ERROR
TPM_GENERAL_ERROR
TPM_TRANSFER_ABORT
TPM_TCPA_COMMAND_ERROR
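The dwInPCRLen operand of 8.2.2.3.2 that this function receives in ECX, as an added C example that is not from the specification: the low word carries length - 1, so FFFFh means 65536 bytes and a zero-length record has no encoding at all. Both the caller's packing and the driver's validation are shown; the 16-PCR bound is an assumption the page does not state.

```c
/* Added example, not from the specification: the dwInPCRLen operand (ECX) of
 * 8.2.2.3.2. Upper word = PCRIndex, lower word = length - 1, so 0000h means
 * one byte, FFFFh means 65536 bytes, and an empty record cannot be encoded.
 * The PCR bound is an assumption (the page does not state it). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MA_MAX_HASH_LEN 65536u   /* FFFFh + 1 */
#define NUM_PCRS        16u      /* assumption */

/* Caller (CRTM) side. Returns false when the request cannot be represented. */
bool ma_pack_in_pcr_len(uint32_t pcr_index, uint32_t len, uint32_t *dw_in_pcr_len) {
    if (pcr_index >= NUM_PCRS) return false;
    if (len == 0 || len > MA_MAX_HASH_LEN) return false;   /* 0 has no encoding */
    *dw_in_pcr_len = (pcr_index << 16) | (len - 1);
    return true;
}

/* Driver side: a driver MUST check the validity of all inputs (8.2.1.3.3). */
bool ma_unpack_in_pcr_len(uint32_t dw_in_pcr_len, uint32_t *pcr_index, uint32_t *len) {
    uint32_t pcr = dw_in_pcr_len >> 16;
    if (pcr >= NUM_PCRS) return false;
    *pcr_index = pcr;
    *len = (dw_in_pcr_len & 0xFFFFu) + 1;   /* 1 .. 65536, never 0 */
    return true;
}

int main(void) {
    uint32_t ecx, pcr, len;
    /* Constructed request: hash 65536 bytes into PCR 4, which packs to 0004FFFFh. */
    if (!ma_pack_in_pcr_len(4, MA_MAX_HASH_LEN, &ecx)) return 1;
    if (!ma_unpack_in_pcr_len(ecx, &pcr, &len)) return 1;
    printf("ECX=%08Xh -> PCR %u, %u bytes\n", ecx, pcr, len);
    return 0;
}
```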
8.2.2.5.3 Function MAPhysicalPresenceTPM (Function Number: 03h)

Input Parameters

DL = bMAPhyPresenceTPMCmdId

Command identifier for the TPM_PhysicalPresence operation (see 8.2.2.3.4).

Return Value

DL = return value of this function

One of the following values:
TPM_OK
TPM_IS_LOCKED
TPM_NO_RESPONSE
TPM_INVALID_RESPONSE
TPM_RESPONSE_TIMEOUT
TPM_INVALID_ACCESS_REQUEST
TPM_FIRMWARE_ERROR
TPM_GENERAL_ERROR
TPM_TRANSFER_ABORT
TPM_TCPA_COMMAND_ERROR
8.2.3 Memory Present (MP) Driver

8.2.3.1 Architecture

[Figure 7.1 Pre-Boot Driver Interface: Application (BIOS) above the POST-Driver interface]

Version 1.00 September 09, 2001  TCPA PC Specific Implementation Specification  Copyright TCPA 2001  TCPA PC Specific Specification Final  Page 62

8.2.3.2 MP Driver Limitations

• No interrupts are allowed. The MP driver MUST poll the TPM.

• The MP driver MAY be relocated after MAInitTPM and at any time between calls to MP driver
functions.

• The MP Driver needs to be placed into an ACPI non-reclaimable area. The driver MUST support being
relocated between calls.

• The resources allocated to the TPM MAY be changed by the BIOS between calls to MP driver
functions; therefore, the MAInitTPM function MUST be recallable.

• All registers not used for return parameters MUST be preserved.

• The MP Driver needs to be built such that any data memory it requires is part of the body of the
driver image.
8.2.3.3 Parameters and Structures

8.2.3.3.1 Parameter pbInBuf

Description: Pointer to input data for the data transfers to TPM.

8.2.3.3.2 Parameter pbOutBuf

Description: Pointer to output buffer for the data from the TPM.

8.2.3.3.3 Parameter dwInLen

Description: Length of the input data record.

8.2.3.3.4 Parameter dwOutLen

Description: Length of the output data record.

8.2.3.3.5 Structure TPMTransmitEntryStruct

TPMTransmitEntryStruct STRUC
    pbInBuf  DD ?  ; [IN] Pointer to input data for the data transfers to TPM.
    dwInLen  DD ?  ; [IN] Length of the input data record.
    pbOutBuf DD 0  ; [OUT] Pointer to output buffer for the data from the TPM.
    dwOutLen DD 0  ; [IN/OUT] DWORD to store the length info of the output data record.
TPMTransmitEntryStruct ENDS

The parameter pdwOutLen is both an input and output parameter.

As input (entry point of this function) it specifies the maximum number of bytes which can be read
from the TPM device to the output buffer. If the function terminates successfully the value of this
variable is adjusted to match the number of bytes received from the TPM.

8.2.3.3.6 Parameter lpTPMTransInfo

Description: Pointer to a TPMTransmitEntryStruct, which carries the input and output
parameters for data transfer between host system and TPM device.

8.2.3.4 MP Driver Function Interface

The AL register contains the function selector number for the different functions of this driver (the
base for this is 01h). The offset for vendor specific driver function numbers is 80h. All these functions
return their exit code in the AL register.

8.2.3.4.1 Function MPInitTPM (Function-Nr-AL-Register: 01h)

This function is performed the first time the driver is called. It is used to initialize the TPM if not
already done by the BIOS Boot Block or if there are some differences between the communication
parameters for the CRTM and POST-Phase. This function must also be called if the BIOS moves the
I/O address used by the TPM (such as if the BIOS performs PnP conflict resolution).

This function does the initialization of the TPM and the driver and establishes (opens a connection)
and verifies the communication (with the parameters from the header) between the POST-Driver and
the TPM. If the interrupt number is set to FFh no interrupts are generated. This means the interrupts
are disabled in the TPM device and the communication runs in polling mode; this is the default mode.

A TPM device can be opened with the same address only once by one host at a time. If the
requested access cannot be granted (e.g., invalid input parameter) or if opening the connection to the
TPM ends unsuccessfully, the function returns the corresponding errorCode.

Input Parameters

All necessary inputs are located in the driver header structure (see 8.2.1.2).

Output Parameters

None

Return Value

AL = return value of this function

One of the following values:
TPM_OK
TPM_INVALID_ADR_REQUEST
TPM_IS_LOCKED
TPM_INVALID_DEVICE_ID
TPM_INVALID_VENDOR_ID
TPM_RESERVED_REG_INVALID
TPM_FIRMWARE_ERROR
TPM_UNABLE_TO_OPEN
TPM_GENERAL_ERROR
8.2.3.4.2 Function MPCloseTPM (Function-Nr-AL-Register: 02h)

Closes a connection to a TPM device with the specified parameters in the header. All data related to
this connection to the device, such as allocated memory, are released. The registers in the
configuration space of the TPM device are reinitialized to the reset status and the logical device is
deactivated.

If the specified parameters in the header are not valid, or if closing of the connection to the TPM ends
unsuccessfully, the function fails and returns the corresponding errorCode.

Input Parameters

All necessary inputs are located in the driver header structure (see 8.2.1.2).

Output Parameters

None

Return Value

AL = return value of this function

One of the following values:
TPM_OK
TPM_INVALID_ADR_REQUEST
TPM_UNABLE_TO_CLOSE
TPM_GENERAL_ERROR
8.2.3.4.3 Function MPGetTPMStatusInfo (Function-Nr-AL-Register: 03h)

This function reads the current error and status information from the TPM device. All data related to
this connection, such as allocated memory, are still valid.

If the specified parameters in the header are not valid, or this device is not yet open, the function fails
and returns an error flag.

Input Parameters

All necessary inputs are located in the driver header structure (see 8.2.1.2).

Output Parameters

None

Return Value

EAX = return value of this function

For the coding of the return value see 8.2.3.5.
8.2.3.4.4 Function MPTPMTransmit (Function-Nr-AL-Register: 04h)

Transmits the data from the input buffer (pbInBuf) to the TPM and reads the response from the TPM
to the output buffer (pbOutBuf). After successful Power-On and opening a TPM connection, the host
can send the first request to the TPM by writing the bytes to the TPM. When the request is processed
by the TPM and the response is available the TPM firmware issues an interrupt (or polling by the host
if the interrupt is disabled) and the host can read it.

This function is responsible for block chaining and error handling during the interaction with the TPM
device over the communication interface.

All vendor specific transport protocol information is added and removed by this function. The input
and output buffers contain only TCPA-Command-Param-Lists; these data streams are opaque to this
function. This means that the TCPA-Command-Param-Lists in these buffers will not be interpreted or
reorganized by this function.

If no open connection to a TPM device is available, if it returns no response, if the function calling
parameters are invalid, or the transmission of the data block to the TPM ends unsuccessfully, the
function fails and returns the corresponding errorCode.

Input Parameters

ESI = pointer to a TPMTransmitEntryStruct (see 8.2.3.3.5).

pbInBuf

Pointer to the input buffer containing the data (TCPA command string) for
the TPM device (see 8.2.3.3.1).

dwInLen

Length of the input buffer data (see 8.2.3.3.3).

Input/Output Parameters

pdwOutLen

Pointer to store the length info of the received data (see 8.2.3.3.4). It also
carries the size (input) of the OutBuf to store the response of the TPM
device.

Output Parameters

pbOutBuf

Pointer to the output buffer to store the data from the TPM device (see
8.2.3.3.2).

Return Value

AL = return value of this function

One of the following values:
TPM_OK
TPM_IS_LOCKED
TPM_NO_RESPONSE
TPM_INVALID_RESPONSE
TPM_RESPONSE_TIMEOUT
TPM_INVALID_ACCESS_REQUEST
TPM_FIRMWARE_ERROR
TPM_GENERAL_ERROR
TPM_TRANSFER_ABORT
8.2.3.5 Return-Values for MPGetTPMStatusInfo (Function: 03h)

If the return value is zero no error condition is active for this TPM connection. This status is the OK-
Status of the TPM device.

Bit    Description
0      If set a general error condition is active for this TPM connection. For details evaluate the condition of the following error information (Bit 1:15).
1      Invalid status/error request access.
2      If set a general firmware error occurred during start up of the TPM firmware.
3      Time out occurred during send process of the request sequence to the TPM device.
4      Response time out in TPM communication.
5      Transfer communication abort with the TPM device.
6-10   Reserved. These bits are read-only and have a value of 0.
12-15  Reserved. These bits are read-only and have a value of 0.
16     If set general status information is available for this TPM. For details evaluate the condition of the following status information (Bit 17:31).
17     The TPM device is not personalized (e.g., Endorsement key pair is missing).
18     Integrity discrepancy in the TPM initialization.
19     Self-Test of TPM device complete.
20     Data transmission with TPM device active.
21-31  Reserved. These bits are read-only and have a value of 0.
8.2.3.6 Error and Return Codes

The base number for the return codes is TPM_RET_BASE = 01h. The catalog of error and return
codes can be extended to include TPM vendor specific return codes at the end of this list.

If either driver fails to communicate with the TPM it MUST do one of the following:

• Permanently disable the connection to the TPM,

• Take action to prevent the platform from loading the Operating System,

• Perform a Platform Reset, or

• Force transfer control of the platform to a manufacturer approved environment.

Name                        Value              Description
TPM_OK                      00h                Indicator of successful execution of the function.
TPM_GENERAL_ERROR           TPM_RET_BASE + 00  A general unidentified error occurred.
TPM_IS_LOCKED               TPM_RET_BASE + 01  The access cannot be granted, the driver is open.
TPM_NO_RESPONSE             TPM_RET_BASE + 02  No response from the TPM device.
TPM_INVALID_RESPONSE        TPM_RET_BASE + 03  The response from the TPM was invalid.
TPM_INVALID_ACCESS_REQUEST  TPM_RET_BASE + 04  The access parameters for this function are invalid.
TPM_FIRMWARE_ERROR          TPM_RET_BASE + 05  Firmware error during start up.
TPM_INTEGRITY_CHECK_FAILED  TPM_RET_BASE + 06  Integrity checks of TPM parameter failed.
TPM_INVALID_DEVICE_ID       TPM_RET_BASE + 07  The device ID for the TPM is invalid.
TPM_INVALID_VENDOR_ID       TPM_RET_BASE + 08  The vendor ID for the TPM is invalid.
TPM_UNABLE_TO_OPEN          TPM_RET_BASE + 09  Unable to open a connection to the TPM device.
TPM_UNABLE_TO_CLOSE         TPM_RET_BASE + 10  Unable to close a connection to the TPM device.
TPM_RESPONSE_TIMEOUT        TPM_RET_BASE + 11  Time out for TPM response.
(name illegible in source)  TPM_RET_BASE + 12  The parameters for the communication access are invalid.
TPM_INVALID_ADR_REQUEST     TPM_RET_BASE + 13  The address parameter for the access is invalid.
TPM_WRITE_BYTE_ERROR        TPM_RET_BASE + 14  Bytes write error on the interface.
TPM_READ_BYTE_ERROR         TPM_RET_BASE + 15  Bytes read error on the interface.
TPM_BLOCK_WRITE_TIMEOUT     TPM_RET_BASE + 16  Blocks write error on the interface.
TPM_CHAR_WRITE_TIMEOUT      TPM_RET_BASE + 17  Bytes write time out on the interface.
TPM_CHAR_READ_TIMEOUT       TPM_RET_BASE + 18  Bytes read time out on the interface.
TPM_BLOCK_READ_TIMEOUT      TPM_RET_BASE + 19  Blocks read error on the interface.
TPM_TRANSFER_ABORT          TPM_RET_BASE + 20  Transfer abort in communication with TPM device.
TPM_INVALID_DRV_FUNCTION    TPM_RET_BASE + 21  Function number (AL-Register) invalid for this driver.
(name illegible in source)  TPM_RET_BASE + 22  Output buffer for the TPM response too short.
TPM_FATAL_COM_ERROR         TPM_RET_BASE + 23  Fatal error in TPM communication.
TPM_INVALID_INPUT_PARA      TPM_RET_BASE + 24  Input parameter for the function invalid.
TPM_TCPA_COMMAND_ERROR      TPM_RET_BASE + 25  Error during execution of a TCPA command.
TPM_VENDOR_BASE_RET         128                Start point for return codes reserved for use by TPM vendors.
8.3 Physical Presence

The Motherboard MAY provide a mechanism that provides proof of a human's physical presence to
the Platform.



8.3.1 Physical Switch 

A physical switch, jumper, or momentary button that, when activated, provides a Physical Presence
signal to the TPM. It MUST NOT be possible to generate this signal from software. This switch,
jumper, or button MUST be in a location typically inaccessible to the user during the normal operation
of the platform. Example: A DIP switch connected to the Motherboard which is within the platform
case.



8.3.2 Indication of Physical Presence from the CRTM

The CRTM MAY be designed to detect the user's physical presence and use the
TSC_PhysicalPresence operation to indicate physical presence to the TPM. If a utility external to the
CRTM is predicated upon an indication of physical presence, it MUST be designed such that it can
only be executed if the user is physically present at the platform (e.g., insertion of a floppy disk or USB
device, pressing a button). The CRTM MUST perform one of the two following sequences based on
the indication of physical presence:

• Physical Presence NOT indicated: Exit normally, processing the remaining portions of the
pre-boot environment.

In this option, prior to exiting the CRTM, it MUST set the physicalPresenceMask flag
appropriate to the design of the platform. If physicalPresenceMask is TRUE, the CRTM
MUST set PhysicallyPresent to FALSE and PhysicalPresenceLock to TRUE.

• Physical Presence IS indicated: Transfer control of the platform to the utility that requires
physical presence.

Prior to transferring control of the platform to the utility that requires physical presence, the
CRTM MAY leave the PhysicalPresenceMask, PhysicallyPresent, and PhysicalPresenceLock
flags in any state appropriate for the design of the platform and entry into the utility. However,
upon exit from the utility, it MUST set the physicalPresenceMask flag appropriate to the design
of the platform. If physicalPresenceMask is TRUE, the CRTM MUST set PhysicallyPresent to
FALSE and PhysicalPresenceLock to TRUE.
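The two CRTM sequences above, modelled as an added example that is not part of the specification: the C function and struct names, the "mask per design" parameter and the presence-gated utility callback are assumptions of this model, while the three flag names are those used in the text.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model of the Physical Presence flags named in section 8.3.2. */
typedef struct {
    bool physical_presence_mask;   /* physicalPresenceMask: set by the CRTM per platform design */
    bool physically_present;       /* PhysicallyPresent: the indication given to the TPM */
    bool physical_presence_lock;   /* PhysicalPresenceLock: TRUE once presence is locked out */
} pp_flags_t;

/* Exit rule shared by both sequences: set physicalPresenceMask according to the
 * platform design; if it is TRUE, clear PhysicallyPresent and set PhysicalPresenceLock. */
static void crtm_apply_exit_rule(pp_flags_t *f, bool mask_per_design)
{
    f->physical_presence_mask = mask_per_design;
    if (f->physical_presence_mask) {
        f->physically_present = false;
        f->physical_presence_lock = true;
    }
}

/* Chooses the sequence from the presence indication. Returns true when control was
 * handed to the utility (sequence 2), false for a normal exit (sequence 1).
 * 'utility' is a hypothetical presence-gated utility; it runs only in sequence 2. */
bool crtm_physical_presence_sequence(pp_flags_t *f, bool presence_indicated,
                                     bool mask_per_design,
                                     void (*utility)(const pp_flags_t *))
{
    if (!presence_indicated) {
        crtm_apply_exit_rule(f, mask_per_design);   /* MUST happen before leaving the CRTM */
        return false;
    }
    /* Sequence 2: the CRTM indicates presence to the TPM (TSC_PhysicalPresence) and
     * may leave the flags in any design-appropriate state while the utility runs. */
    f->physically_present = true;
    if (utility != NULL)
        utility(f);
    crtm_apply_exit_rule(f, mask_per_design);       /* MUST happen on exit from the utility */
    return true;
}

/* Constructed utility: counts entries made with presence asserted and not yet locked,
 * standing in for a maintenance task that must only run with the user at the machine. */
static int utility_runs_with_presence = 0;
void demo_presence_gated_utility(const pp_flags_t *f)
{
    if (f->physically_present && !f->physical_presence_lock)
        utility_runs_with_presence++;
}

/* Assumed lock semantics (from the TPM main specification, not this section): once the
 * lock is set with presence cleared, presence cannot be re-asserted until Platform Reset. */
bool pp_is_locked_out(const pp_flags_t *f)
{
    return f->physical_presence_lock && !f->physically_present;
}
```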
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